fake myetherwallet.com steals ethereum wallets

A very unusual phishing attempt today: one that tries to steal digital money from your Ethereum wallet. For most people it won't work, because the average Netizen doesn't use a digital wallet and hasn't got a clue what they are or how they work! I am included in that majority.

I know the very basics of how they work, but I don't use a wallet myself and definitely don't really understand how the whole digital money thing works. The idea of virtual money that has no physical manifestation is too foreign for many of us. We trust banks to give us cash when we want it. We don't understand virtual money that isn't backed by cash or by something seen as valuable like gold or jewellery. I can't really get my head around the encryption system or how it actually works without the wrong person getting the money. I suppose it is an age-related thing: people of my generation are more used to handling cash or credit and debit cards, and bank transfers of a physical amount of money are about our limit.

But for a minority of users this is potentially a very effective phish that will steal your Ethereum wallet, or more precisely the keys that control it. The fake website they have chosen, https://mymyetherwallet.com/#view-wallet-info, is so close to the genuine https://myetherwallet.com/#view-wallet-info that almost anybody could miss the extra "my" and go to the wrong site.
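As an added example (not part of the original post), here is a small Python check of the kind a mail gateway or a careful user could run over an email like the one quoted later in this post: it pulls out the links, reduces each hostname to its registered domain, and flags any domain that embeds a trusted brand label (mymyetherwallet.com, or myetherwallet.com.evil.example) or sits within two character edits of one. The TRUSTED table, the two-label approximation of the registered domain and the edit-distance threshold are my assumptions; the sample email body is the one quoted in this post.

```python
import re
from urllib.parse import urlparse

# Brand label -> the registered domain a user should expect to land on.
# (Assumed table for this example; extend it with the brands you care about.)
TRUSTED = {"myetherwallet": "myetherwallet.com"}

# Body of the phishing email quoted in this post, used here as sample input.
EMAIL_BODY = """Dear User,

You have a new transaction on your Ethereum Wallet.

Login to check your balance:

https://mymyetherwallet.com/#view-wallet-info
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL found in a block of text."""
    return URL_RE.findall(text)


def registered_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption made to keep this dependency-free: a real tool should consult
    the Public Suffix List, since two labels is wrong for suffixes like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance, to catch character swaps such as 'wa11et' for 'wallet'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, max_edits=2):
    """Return (verdict, reason) for one hostname.

    'ok'        - its registered domain is one we trust
    'lookalike' - it contains a trusted brand label but is a different
                  registered domain, or is within max_edits of one
    'unknown'   - no relation to a trusted brand; judge it on other evidence
    """
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED.values():
        return "ok", f"{reg} is a trusted registered domain"
    second_level = reg.split(".")[0]
    for brand, good in TRUSTED.items():
        if brand in host:
            return "lookalike", f"{host} contains '{brand}' but its registered domain is {reg}, not {good}"
        distance = levenshtein(second_level, brand)
        if distance <= max_edits:
            return "lookalike", f"{reg} is {distance} edit(s) away from {good}"
    return "unknown", f"{reg} is not related to a trusted brand"


def check_email(body):
    """Classify every link in an email body; returns [(url, verdict, reason)]."""
    results = []
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        verdict, reason = classify_host(host)
        results.append((url, verdict, reason))
    return results


if __name__ == "__main__":
    for url, verdict, reason in check_email(EMAIL_BODY):
        print(f"{verdict:9} {url}\n          {reason}")
```

The brand-label test is deliberately checked before the edit-distance test: a hostname that merely contains the brand is already suspicious whatever its distance, and it is the pattern in this campaign.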

Update: I am also finding the same phishing attack on these websites, complete with a red warning bar

The home page even lets you create a new wallet, with what look like genuine keys. Because the fake site generates (or simply records) those keys, the criminals have them from the moment they are created.

It is actually a very well made website.

Where it fails is the email, which hits spam filters and gets a spam score of over 70. (If the scammers had used a better email sending server, it probably would have bypassed many spam filters.) I am sure, though, that such a well-made website, which looks to be identical to the genuine https://myetherwallet.com site, could easily be reused in other campaigns. A quick Google search shows me that previous similar attacks have used instant messaging services, social media and other private channels to spread the links. I don't see any reason these criminals won't follow that path as well, until the fake website is taken down.

The only big difference is that the genuine site uses an EV certificate, which in IE gives a totally green URL bar; but the site doesn't work in IE. In Chrome or Firefox you get less in-your-face security indicators and have to look very carefully at the site information to see the SSL certificate's name and the company it was issued to.

They use email addresses and subjects that will entice, persuade, scare or shock a user into reading the email and following the link.

The email looks like this:

From: cathrynmccallister@mailcatch.com

Date: Wed 18/10/2017 11:09

Subject: You have a new transaction

Body content:

Dear User,

You have a new transaction on your Ethereum Wallet.

Login to check your balance:

https://mymyetherwallet.com/#view-wallet-info

Screenshot:

If you follow the link in the email you see a webpage looking like this: https://mymyetherwallet.com/#view-wallet-info

Fake myetherwallet.com site

The cheeky criminals even warn you, on the red warning bar, to "Always check the URL and look for MYETHERWALLET LLC [US] Certificate up there. Look for https://www.myetherwallet.com/. Be safe & secure." That is exactly the advice which, if followed, would expose their own site.

A lot of visitors will see the green padlock and think it is safe. The padlock only means the connection to whatever domain is in the address bar is encrypted; it says nothing about who owns that domain. Let's Encrypt issues a certificate to anyone who can prove control of a domain, so a phishing domain gets a padlock just as easily as the genuine one.

The genuine site looks like this. It is very difficult to tell the difference.

Genuine myetherwallet.com site

Even looking at the certificates it is hard to tell that this is a fake phishing site, because the names in them look alike. The biggest difference is that the fake myetherwallet.com site uses a free Let's Encrypt certificate, which only proves control of the domain (domain validation), whereas the genuine myetherwallet.com site uses a DigiCert Extended Validation certificate, which names the company (MYETHERWALLET LLC) that the CA verified before issuing it.
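The certificate comparison above is the check worth automating, so here is an added Python example (mine, not the post's or MyEtherWallet's code) that classifies a certificate as DV, OV or EV from the dictionary layout Python's ssl.SSLSocket.getpeercert() returns, and answers the question the red banner poses: is this an EV certificate issued to MYETHERWALLET LLC? The two certificate dictionaries are constructed for the demo in that layout; their field values are illustrative and were not captured from either site. Treating businessCategory in the subject as the EV marker is a heuristic I chose because getpeercert() does not expose the EV policy OID, which is the authoritative signal.

```python
import socket
import ssl


def fetch_peer_cert(host, port=443, timeout=5):
    """Do a live TLS handshake and return the certificate in the dict layout
    ssl.SSLSocket.getpeercert() uses. Needs network, so the offline demo
    below works on constructed dicts in that same layout instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed examples in getpeercert() layout. Values are illustrative, not
# captured: the first imitates a Let's Encrypt domain-validated certificate for
# the fake domain, the second a DigiCert EV certificate of the kind the post
# describes for the genuine site.
FAKE_SITE_CERT = {
    "subject": ((("commonName", "mymyetherwallet.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Let's Encrypt Authority X3"),),
    ),
    "subjectAltName": (("DNS", "mymyetherwallet.com"), ("DNS", "www.mymyetherwallet.com")),
}

GENUINE_SITE_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("countryName", "US"),),
        (("organizationName", "MYETHERWALLET LLC"),),
        (("commonName", "www.myetherwallet.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "DigiCert Inc"),),
        (("commonName", "DigiCert SHA2 Extended Validation Server CA"),),
    ),
    "subjectAltName": (("DNS", "www.myetherwallet.com"), ("DNS", "myetherwallet.com")),
}


def _flatten(rdn_sequence):
    """getpeercert() nests subject/issuer as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; collapse that into a plain dict."""
    out = {}
    for rdn in rdn_sequence:
        for attr, value in rdn:
            out.setdefault(attr, value)
    return out


def validation_level(cert):
    """DV: no organisation in the subject, only domain control was checked.
    OV: an organisation is named.  EV: organisation plus the businessCategory
    and jurisdiction fields the CA/Browser Forum EV guidelines require.
    Heuristic only: the normative EV marker is the policy OID in
    certificatePolicies, which getpeercert() does not expose."""
    subject = _flatten(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    if "businessCategory" in subject:
        return "EV"
    return "OV"


def describe(cert):
    """Summarise the fields a user would compare by hand in the browser UI."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    return {
        "level": validation_level(cert),
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName"),
        "names": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
    }


def is_expected_identity(cert, expected_org):
    """The check the banner asks for: an EV certificate issued to the company
    you expect. A DV certificate fails this regardless of the domain name."""
    info = describe(cert)
    return info["level"] == "EV" and info["organization"] == expected_org


if __name__ == "__main__":
    for label, cert in (("fake", FAKE_SITE_CERT), ("genuine", GENUINE_SITE_CERT)):
        info = describe(cert)
        print(f"{label:8} {info['level']} issuer={info['issuer']!r} "
              f"org={info['organization']!r} names={info['names']}")
        print(f"         EV for MYETHERWALLET LLC? {is_expected_identity(cert, 'MYETHERWALLET LLC')}")
```

To run the same check against a live site, pass fetch_peer_cert("www.myetherwallet.com") to describe(). Two caveats: the DV/EV split is about who the CA verified, not about the encryption, which is identical in both cases; and since 2019 Chrome and Firefox no longer show the EV organisation name in the address bar, so this kind of inspection has to be done deliberately via the certificate viewer rather than relied on as a passive visual cue.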

We all get very blasé about phishing and think we know so much that we will never fall for a phishing attempt. Don't assume that all attempts are obvious. Be wary of any site that invites you to enter ANY personal or financial information, whether it arrives via an email that says "you have won a prize" or "sign up to this website for discounts, prizes and special offers".

All of these emails use social engineering tricks to persuade you to act. Sometimes that means opening an attachment: a message saying "look at this picture of me I took last night" that appears to come from a friend, or something more targeted at somebody who regularly receives PDF or Word .doc attachments or any other common file type they use every day. Sometimes, as here, it is a straightforward attempt to steal your personal, bank, credit card, email or social networking log-in details through a link to a fake site. Be very careful when unzipping attachments: make sure Windows is set to show file extensions (untick "Hide extensions for known file types" in Explorer's folder options) and then look carefully at the unzipped file. If it says .EXE then it is a problem and should not be run or opened.